ctxis/CAPE

ERROR: Failed to run the processing module "Dropped":

YESIHACK opened this issue · 23 comments

YESIHACK commented

Hi I'm having an issue with CAPE connecting to my guest VM. I have verified that networking is not the issue and am able to curl vmip:8000 and get code 501. I continually get

2019-08-09 10:34:46,303 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet
2019-08-09 10:34:47,305 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet
2019-08-09 10:34:48,306 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet
2019-08-09 10:34:49,307 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet
2019-08-09 10:34:50,309 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet
2019-08-09 10:34:51,311 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet
2019-08-09 10:34:52,313 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet
2019-08-09 10:34:53,314 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet

and no activity on my VM. After timeout I get the following error

2019-08-09 10:35:02,698 [lib.cuckoo.core.plugins] ERROR: Failed to run the processing module "Dropped":
Traceback (most recent call last):
File "/home/cuckoo/CAPE/lib/cuckoo/core/plugins.py", line 197, in process
data = current.run()
File "/home/cuckoo/CAPE/modules/processing/dropped.py", line 28, in run
file_names = os.listdir(self.dropped_path)
OSError: [Errno 2] No such file or directory: '/opt/CAPE/storage/analyses/6/files'

After going to the dir I noticed the "files" dir doesn't exists. Any tips for resolving this issue.

doomedraven commented

yes that isn't really failing, that just need a better check if folder exist, nothing else

YESIHACK commented

how does this folder get created? Also how does CAPE connect to guest vm. tried looking for traffic with wireshark but can't find packets that reach out to guest vm.

doomedraven commented

it connect to agent, agent listen on vm on port 8000, and host listen on port 2042

are you able to do this once vm started

curl vm_info:8000 that should give you error 50x is you get that that means all works as expected, can you verify that?

YESIHACK commented

This is what I get when I curl the guest VM that is running the agent.

cuckoo@ubuntu:/opt$ curl 192.168.100.101:8000

<title>Error response</title>

Error response

Error code 501.

Message: Unsupported method ('GET').

Error code explanation: 501 = Server does not support this operation.

also CAPE has something listening on 2042

root@ubuntu:/opt# netstat -tulp |grep 2042
tcp 0 0 ubuntu:2042 0.0.0.0:* LISTEN 9637/python

Both the VM and host can ping each other. FireWall is off on guest VM.

root@ubuntu:/opt# ping 192.168.100.101
PING 192.168.100.101 (192.168.100.101) 56(84) bytes of data.
64 bytes from 192.168.100.101: icmp_seq=1 ttl=128 time=0.520 ms
64 bytes from 192.168.100.101: icmp_seq=2 ttl=128 time=0.404 ms
64 bytes from 192.168.100.101: icmp_seq=3 ttl=128 time=0.541 ms
64 bytes from 192.168.100.101: icmp_seq=4 ttl=128 time=0.503 ms
64 bytes from 192.168.100.101: icmp_seq=5 ttl=128 time=0.404 ms

doomedraven commented

well it looks like everything works, maybe you have something wrong in cuckoo.conf or your hypervisor not sure whihc one do you use

doomedraven commented

ok make sure that in cuckoo.conf the result server is 192.168.100.1 and machinery is kvm

YESIHACK commented

Machinery is KVM and CAPE is able to load the virtual machine and start from the snapshot. I am not using the script you shared I manually installed from an old tutorial related to Cuckoo. I KVM is working fine
Capture
Capture1

as seen in the photo attached.

doomedraven commented

that is not enough log for second one, so provide full log

+if you installed kvm from using apt then test it with vm detection and it will be caught https://github.com/LordNoteworthy/al-khaser

YESIHACK commented

Thanks for that test. I am a student setting this up as a lab project. I was looking into vm detection scripts.

Here is full log.
https://gist.github.com/YESIHACK/10fb67add91840f28fa672e196d76e66

doomedraven commented
YESIHACK commented

I am able to Curl the virtual machine the virtual machine and shown above and ping reach the vm from the host machine. Not sure what causing this issue to occur.

doomedraven commented
YESIHACK commented

Here is the log don't see anything not normal
Cuckoo conf log
https://gist.github.com/YESIHACK/53bb0bc7d83783a38317e778d963b8fe

doomedraven commented
YESIHACK commented

So after taking a break and coming back to the issue. I took a closer look at guest.py and noticed that it is getting the IP of the Results server. Is the the results server supposed to be guest VM IP?. I changed line 36 "self.ip = 'ip'" to "self.ip = '192.168.100.101'" to test it and looks to be communicating fine now. I think its importing the IP of the resultserver.

doomedraven commented
YESIHACK commented

Yaa The problem is that guest.py is importing "from lib.cuckoo.core.resultserver import ResultServer" and using HostIP when it should be using the guestip to connect. IP is declared variable in the resultserver.py

doomedraven commented

heh if that would be in that way how it would works till now? ;)

YESIHACK commented

Sorry I was wrong spacing was the problem. in the .conf file there was a space so

IP=192.168.100.101 snapshot = Win7Snapshot

there was a space in the beginning of snapshot

Rookie mistake. All is good.

kevoreilly commented

Awesome - glad it worked out and you now have a working instance :-)

YESIHACK commented

Yes, and thanks you all for your help. Hopfully this helps whoever has the same issue.

  • 👍1
doomedraven commented

i think the best would be just add an strip on config load so it wouldn't care about spaces :)